Server issue question (nerd stuff here)

ERage

So I am sitting in front of a server today that has been, shall we say, "compromised". This isn't usually my cup of tea, but I somehow got stuck with the job of fixing/cleaning it.

From what I can tell, someone hacked it, installed some form of an edonkey/emule server on it and has been passing massive amounts of files over it the last couple of weeks. Two hard drives that should have about 1-5 gigs of used space had 100-120 gigs of used space, all conveniently hidden under that little hidden system "recycler" folder. Cleaning the drives is not an issue; I intend on backing each one up and then just formatting them since they are merely storage drives.

My question is: How the hell do you find and remove this filesharing program/virus/spyware, whatever the hell it is? I can't even see an obvious process running that shouldn't be there, but when I do port scans I see lots of file sharing activity. The machine is supposedly protected with Norton Corporate, which isn't worth a crap. There must be at least 1 trojan on here and some file sharing program.

Any suggestions from all you experts out there that do this for a living? I'm just a lowly programmer; I don't usually deal with admin stuff.

Edit: reformatting is a very VERY undesirable option here.
 
Anything trojaned should be rebuilt, NO exceptions. Take it from an incident handler: rootkits can hide anything.
 
ERage said:
It is indeed, Win 2000 SP4


The two programs I mentioned show you everything running on the machine (including hidden processes). You can manually kill them through Process Explorer, and use Autoruns to stop them from re-loading upon reboot.

They have nifty features including direct links to Google about said process, and you can also verify, based off of signatures, if it is in fact what it says it is.
 
Cool, I just stuck them on a disk. At this point I need to get this process stopped temporarily so the server can be put back online. After that I will need to find time to rebuild the machine.

Our IT dept will not allow us to install win2k3, I have no idea why, so I will have to rebuild it as a 2k machine. I'm just fearful to plug it back into the network until I have at least isolated the problem and blocked it.
 
The exact same thing happened to a server I controlled: the emule.exe process would run and with it would come massive amounts of bandwidth. We backed up, formatted, and re-built the server, this time with much tighter SQL rights, locked down system accounts, and heavily controlled Remote Desktop access (only one user, which is a renamed administrator account with a random string of letters and numbers for a password).

Start over, and do security right.
 
Dude, you really got to reformat that thing! Don't put it back online! Just 'cause you found a hack doesn't mean it's the only one! A real pro could have been in there MONTHS ago and installed a rootkit.

You aren't doing anyone a favor by not reformatting...
 
Thanks for the Sysinternals link. I disabled anything that looked even remotely strange to me, and so far I'm watching port activity with Active Ports and I don't see any misuse. This should tide me over short term. I also just found out that our campus has recently opened up our firewall! I don't know what the hell they are doing, but all ports are open at the moment :rant:. I'm going to pick up some Zone Alarm software at lunch.
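The check ERage describes (watch the listening ports, then tie anything unexpected back to a process and verify that process) can be scripted so it is repeatable rather than eyeballed. The block below is an added example, not code from the thread or from any Sysinternals tool: it parses the plain-text format of `netstat -ano`, joins each socket to a PID-to-image map of the kind `tasklist` prints, and reports every listener that is not on a baseline of ports the server is expected to expose. The netstat sample, the tasklist map and the expected-port baseline are all constructed here; the sample deliberately includes the eDonkey/eMule default ports (TCP 4662, UDP 4672) so the output mirrors what the thread is seeing.

```python
"""Flag listening ports that are not in a known-good baseline, with owning process.

Added example (not from the thread). Input is the text format of `netstat -ano`;
the PID -> image map stands in for `tasklist` output. All data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed `netstat -ano` output for a hypothetical Windows file/SQL server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:4662           0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.5:4662          198.51.100.23:51022    ESTABLISHED     2044
  TCP    10.0.0.5:4662          203.0.113.9:60120      ESTABLISHED     2044
  UDP    0.0.0.0:4672           *:*                                    2044
"""

# Constructed PID -> image name map (what `tasklist` would show for those PIDs).
SAMPLE_TASKLIST = {420: "svchost.exe", 8: "System", 1188: "sqlservr.exe",
                   760: "termsrv.exe", 2044: "svchost.exe"}

# Assumed baseline: (proto, port) pairs this particular server is supposed to expose.
EXPECTED_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 1433), ("TCP", 3389)}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int
    image: str


# proto, local addr, local port, foreign addr, optional state (UDP has none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text, tasklist):
    """Return (set of bound listeners, dict pid -> set of established remote peers)."""
    listeners = set()
    peers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a line shape we do not understand
        proto, _local, port, foreign, state, pid = m.groups()
        pid, port = int(pid), int(port)
        image = tasklist.get(pid, "<unknown>")
        # TCP listeners carry LISTENING; a bound UDP socket has no state column.
        if state == "LISTENING" or (proto == "UDP" and state is None):
            listeners.add(Listener(proto, port, pid, image))
        elif state == "ESTABLISHED":
            peers.setdefault(pid, set()).add(foreign)
    return listeners, peers


def unexpected_listeners(listeners, expected=EXPECTED_PORTS):
    """Listeners whose (proto, port) is not in the baseline, in a stable order."""
    return sorted((l for l in listeners if (l.proto, l.port) not in expected),
                  key=lambda l: (l.proto, l.port))


def report(text=SAMPLE_NETSTAT, tasklist=SAMPLE_TASKLIST):
    """One line per unexpected listener, with how many remote peers its PID holds.

    The image name is only a lead: a process that calls itself svchost.exe still
    has to be checked by path and signature (Process Explorer does this) before
    it is trusted, which is exactly the verification step the thread recommends.
    """
    listeners, peers = parse_netstat(text, tasklist)
    return [f"{l.proto}/{l.port} pid={l.pid} image={l.image} "
            f"established_peers={len(peers.get(l.pid, ()))}"
            for l in unexpected_listeners(listeners)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the constructed sample this prints the two eMule-style sockets, both owned by PID 2044 with two established remote peers; the four baseline ports are silent. The useful design point is the baseline: a list of ports you expect is something you can argue about with the firewall team (the thread's "all ports are open" surprise), whereas "looks strange to me" is not.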
 
fly said:
Dude, you really got to reformat that thing! Don't put it back online! Just 'cause you found a hack doesn't mean it's the only one! A real pro could have been in there MONTHS ago and installed a rootkit.

You aren't doing anyone a favor by not reformatting...

DAMNIT, BUT I DON'T WANNA, it isn't even my freaking server....

... but I'm going to do it anyways ffs.
 
Yeah, I'd just back up what's important from it and format that bitch.
There's no telling what kind of crazy shit the hacker fgts coulda put on there.
Hell, you could now be a major hub for anything from mp3s to illegal mexican donkey porn.
 
I scanned for porn before I started deleting their files. Absolutely no porn, only techno, regular movies, rap, and other boring crap. What kind of hackers are these :lol:
 
ERage said:
I scanned for porn before I started deleting their files. Absolutely no porn, only techno, regular movies, rap, and other boring crap. What kind of hackers are these :lol:


:shady: dammit, I was hoping for a new hookup on the mexican donkey porn.